K8S API资源—ApiGroup、Resources和Verbs
一、Kubernetets API总览
REST API 是 Kubernetes 的基础架构。组件之间的所有操作和通信,以及外部用户命令都是 API Server 处理的 REST API 调用。因此,Kubernetes 平台中的所有资源被视为 API 对象,并且在 API 中都有对应的定义项。
API 版本控制
为了消除字段或重组资源表示形式,Kubernetes 支持多个 API 版本,每个版本在不同的 API 路径下。例如:/api/v1 或者 /apis/extensions/v1beta1。
版本是在 API 级别而非资源或字段级别配置的:
- 确保 API 呈现出清晰一致的系统资源和行为视图。
- 允许控制对已寿终正寝的 API 和/或实验性 API 的访问。 JSON 和 Protobuf 序列化模式在出现模式变更时均遵循这些准则。以下说明同时适用于这两种格式。
API 结构组成
1 | https://127.0.0.1:6443/api/v1/pods |
解释 组成
API Server address https://127.0.0.1:6443/
Core API group api/v1
API Object pods
1 | https://127.0.0.1:6443/apis/extensions/v1beta/deployments |
解释 组成
API Server address https://127.0.0.1:6443/
Core API group apis
API Group name extensions
API Version v1beta
API Object deployments
二、API版本列表
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 | apiGroups APIgroup就是apiversion中的一部分,apiversion = Apigroup/version>>kubectl api-versionadmissionregistration.k8s.io/v1admissionregistration.k8s.io/v1beta1apiextensions.k8s.io/v1apiextensions.k8s.io/v1beta1apiregistration.k8s.io/v1apiregistration.k8s.io/v1beta1apps/v1authentication.k8s.io/v1authentication.k8s.io/v1beta1authorization.k8s.io/v1authorization.k8s.io/v1beta1autoscaling/v1autoscaling/v2beta1autoscaling/v2beta2batch/v1batch/v1beta1certificates.k8s.io/v1beta1coordination.k8s.io/v1coordination.k8s.io/v1beta1discovery.k8s.io/v1beta1events.k8s.io/v1beta1extensions/v1beta1networking.k8s.io/v1networking.k8s.io/v1beta1node.k8s.io/v1beta1policy/v1beta1rbac.authorization.k8s.io/v1rbac.authorization.k8s.io/v1beta1scheduling.k8s.io/v1scheduling.k8s.io/v1beta1storage.k8s.io/v1storage.k8s.io/v1beta1v1 core: 一般在可以直接设为空 |
三、Resources
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 | $ kubectl api-resources -o wideNAME SHORTNAMES APIGROUP NAMESPACED KIND VERBSbindings true Binding [create]componentstatuses cs false ComponentStatus [get list]configmaps cm true ConfigMap [create delete deletecollection get list patch update watch]endpoints ep true Endpoints [create delete deletecollection get list patch update watch]events ev true Event [create delete deletecollection get list patch update watch]limitranges limits true LimitRange [create delete deletecollection get list patch update watch]namespaces ns false Namespace [create delete get list patch update watch]nodes no false Node [create delete deletecollection get list patch update watch]persistentvolumeclaims pvc true PersistentVolumeClaim [create delete deletecollection get list patch update watch]persistentvolumes pv false PersistentVolume [create delete deletecollection get list patch update watch]pods po true Pod [create delete deletecollection get list patch update watch]podtemplates true PodTemplate [create delete deletecollection get list patch update watch]replicationcontrollers rc true ReplicationController [create delete deletecollection get list patch update watch]resourcequotas quota true ResourceQuota [create delete deletecollection get list patch update watch]secrets true Secret [create delete deletecollection get list patch update watch]serviceaccounts sa true ServiceAccount [create delete deletecollection get list patch update watch]services svc true Service [create delete get list patch update watch]mutatingwebhookconfigurations admissionregistration.k8s.io false MutatingWebhookConfiguration [create delete deletecollection get list patch update watch]validatingwebhookconfigurations admissionregistration.k8s.io false ValidatingWebhookConfiguration [create delete deletecollection get list patch update watch]customresourcedefinitions crd,crds apiextensions.k8s.io false CustomResourceDefinition [create delete deletecollection get list patch update watch]apiservices apiregistration.k8s.io false APIService [create delete deletecollection get list patch update watch]controllerrevisions apps true ControllerRevision [create delete deletecollection get list patch update watch]daemonsets ds apps true DaemonSet [create delete deletecollection get list patch update watch]deployments deploy apps true Deployment [create delete deletecollection get list patch update watch]replicasets rs apps true ReplicaSet [create delete deletecollection get list patch update watch]statefulsets sts apps true StatefulSet [create delete deletecollection get list patch update watch]tokenreviews authentication.k8s.io false TokenReview [create]localsubjectaccessreviews authorization.k8s.io true LocalSubjectAccessReview [create]selfsubjectaccessreviews authorization.k8s.io false SelfSubjectAccessReview [create]selfsubjectrulesreviews authorization.k8s.io false SelfSubjectRulesReview [create]subjectaccessreviews authorization.k8s.io false SubjectAccessReview [create]horizontalpodautoscalers hpa autoscaling true HorizontalPodAutoscaler [create delete deletecollection get list patch update watch]cronjobs cj batch true CronJob [create delete deletecollection get list patch update watch]jobs batch true Job [create delete deletecollection get list patch update watch]certificatesigningrequests csr certificates.k8s.io false CertificateSigningRequest [create delete deletecollection get list patch update watch]leases coordination.k8s.io true Lease [create delete deletecollection get list patch update watch]endpointslices discovery.k8s.io true EndpointSlice [create delete deletecollection get list patch update watch]events ev events.k8s.io true Event [create delete deletecollection get list patch update watch]ingresses ing extensions true Ingress [create delete deletecollection get list patch update watch]ingresses ing networking.k8s.io true Ingress [create delete deletecollection get list patch update watch]networkpolicies netpol networking.k8s.io true NetworkPolicy [create delete deletecollection get list patch update watch]runtimeclasses node.k8s.io false RuntimeClass [create delete deletecollection get list patch update watch]poddisruptionbudgets pdb policy true PodDisruptionBudget [create delete deletecollection get list patch update watch]podsecuritypolicies psp policy false PodSecurityPolicy [create delete deletecollection get list patch update watch]clusterrolebindings rbac.authorization.k8s.io false ClusterRoleBinding [create delete deletecollection get list patch update watch]clusterroles rbac.authorization.k8s.io false ClusterRole [create delete deletecollection get list patch update watch]rolebindings rbac.authorization.k8s.io true RoleBinding [create delete deletecollection get list patch update watch]roles rbac.authorization.k8s.io true Role [create delete deletecollection get list patch update watch]priorityclasses pc scheduling.k8s.io false PriorityClass [create delete deletecollection get list patch update watch]csidrivers storage.k8s.io false CSIDriver [create delete deletecollection get list patch update watch]csinodes storage.k8s.io false CSINode [create delete deletecollection get list patch update watch]storageclasses sc storage.k8s.io false StorageClass [create delete deletecollection get list patch update watch]volumeattachments storage.k8s.io false VolumeAttachment [create delete deletecollection get list patch update watch] |
四、角色示例
在以下示例中,我们仅截取展示了 rules 对应部分, 允许读取在核心 API 组 下的 Pods:
1 2 3 4 | rules:- apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch"] |
允许读/写在 “extensions” 和 “apps” API 组中的 “deployments” 资源:
1 2 3 4 | rules:- apiGroups: ["extensions", "apps"] resources: ["deployments"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] |
允许读取 “pods” 和读/写 “jobs” :
1 2 3 4 5 6 7 | rules:- apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch"]- apiGroups: ["batch", "extensions"] resources: ["jobs"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] |
允许读取名称为 “my-config”的 ConfigMap (需要通过 RoleBinding 绑定带某名字空间中特定的 ConfigMap):
1 2 3 4 5 | rules:- apiGroups: [""] resources: ["configmaps"] resourceNames: ["my-config"] verbs: ["get"] |
允许读取在核心组中的 “nodes” 资源(因为 Node 是集群范围的,所以需要 ClusterRole 绑定到 ClusterRoleBinding 才生效)
1 2 3 4 | rules:- apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch"] |
感谢您的阅读,如果您觉得阅读本文对您有帮助,请点一下“推荐”按钮。本文欢迎各位转载,但是转载文章之后必须在文章页面中给出作者和原文连接。
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· TypeScript + Deepseek 打造卜卦网站:技术与玄学的结合
· 阿里巴巴 QwQ-32B真的超越了 DeepSeek R-1吗?
· 【译】Visual Studio 中新的强大生产力特性
· 【设计模式】告别冗长if-else语句:使用策略模式优化代码结构
· AI与.NET技术实操系列(六):基于图像分类模型对图像进行分类